Tag Archives: bsides

As part of my “Mobile Fail: Cracking open “secure” android containers” talk at BSidesLV I’ve released a couple of scripts I wrote to automate some of the legwork involved in backing up Android applications and automatically unpacking their data and settings. The accompanying script takes the data and settings structure and re-packs it into a working Android Backup file for restoration.

These scripts were used as part of my research to view settings used by applications and in some cases alter the configuration to deactivate secure features or allow access. In some cases it’s also possible to alter configuration files to gain elevated functionality (unpaid… but nobody would ever do that… right!).

The process isn’t new and can be done manually, however automated solutions are always easier…

Requirements:

openssl with zlib support

star (apt-get install star)

Simple Python scripts to perform:

an adb backup of a specific application and uncompress it to a directory structure

recompress a directory structure back into a valid adb restore file

Example usage:

./ab_unpacker.py -p com.app.android -b app.ab

Creates an adb backup of com.app.android called app.ab and uncompresses it into ./com.app.android

./ab_packer.py -d ./com.app.android -b app_edit.ab -o app.ab -r

Repacks the contents of ./com.app.android into app_edit.ab (app.ab being the original backup) and attempts to restore it via adb
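As an added example (not the ab_unpacker/ab_packer scripts released with the talk), this is the manual process those scripts automate, done with Python's standard library instead of openssl and star: the .ab header is parsed, the zlib stream is inflated into a tar, one shared-preference value is edited, and the result is wrapped back into a backup file. The package name com.app.android comes from the usage lines above; the manifest contents, the settings.xml file and the pin_required key are constructed for the demo and are not taken from any real application.

```python
"""Minimal reader/writer for unencrypted Android Backup (.ab) files.

Added example, not the post's own scripts. The sample backup, the manifest
bytes, the settings.xml file and the pin_required key are all constructed.
"""
import io
import re
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP\n"
PKG = "com.app.android"  # package name used in the post's usage lines
PREFS_PATH = "apps/%s/sp/settings.xml" % PKG


def pack_ab(tar_bytes: bytes, version: int = 1) -> bytes:
    """Header is four newline-terminated lines: magic, format version,
    compression flag (1 = zlib) and encryption ("none" when no backup
    password is set). The body is a plain zlib stream."""
    header = AB_MAGIC + b"%d\n1\nnone\n" % version
    return header + zlib.compress(tar_bytes)


def unpack_ab(ab_bytes: bytes):
    """Return (version, raw tar bytes). Encrypted backups are refused; they
    need the backup password and a key-derivation step first."""
    if not ab_bytes.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file")
    version, compressed, encryption, body = ab_bytes[len(AB_MAGIC):].split(b"\n", 3)
    if encryption != b"none":
        raise ValueError("encrypted backup (%s): decrypt first" % encryption.decode())
    tar_bytes = zlib.decompress(body) if compressed == b"1" else body
    return int(version), tar_bytes


def build_tar(entries) -> bytes:
    """entries: ordered list of (name, bytes). The restore engine reads the
    package's _manifest before anything else, so it must be the first entry;
    that ordering requirement is why a tar that lets you control entry order
    (star) is on the requirements list. tarfile writes in the order given."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tar(tar_bytes: bytes):
    """Ordered list of (name, bytes) for the regular files in the archive."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf:
            if m.isfile():
                out.append((m.name, tf.extractfile(m).read()))
    return out


def set_pref(xml_text: str, key: str, value: str) -> str:
    """Rewrite the value of one <boolean name="key" .../> in a shared_prefs file."""
    pattern = r'(<boolean name="%s" value=")[^"]*(")' % re.escape(key)
    new_text, n = re.subn(pattern, r'\g<1>%s\2' % value, xml_text)
    if n != 1:
        raise KeyError(key)
    return new_text


def disable_pin(ab_bytes: bytes) -> bytes:
    """Unpack, flip the (constructed) pin_required preference, repack."""
    version, tar_bytes = unpack_ab(ab_bytes)
    entries = []
    for name, data in read_tar(tar_bytes):
        if name == PREFS_PATH:
            data = set_pref(data.decode(), "pin_required", "false").encode()
        entries.append((name, data))
    return pack_ab(build_tar(entries), version)


def pin_required(ab_bytes: bytes) -> bool:
    """Inspect a backup and report the current pin_required setting."""
    _, tar_bytes = unpack_ab(ab_bytes)
    prefs = dict(read_tar(tar_bytes))[PREFS_PATH].decode()
    return 'name="pin_required" value="true"' in prefs


# Constructed stand-in for `adb backup -f app.ab com.app.android`.
SAMPLE_PREFS = ('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '    <boolean name="pin_required" value="true" />\n</map>\n')
SAMPLE_AB = pack_ab(build_tar([
    ("apps/%s/_manifest" % PKG, b"%s\n1\n" % PKG.encode()),  # placeholder manifest bytes
    (PREFS_PATH, SAMPLE_PREFS.encode()),
]))

if __name__ == "__main__":
    edited = disable_pin(SAMPLE_AB)
    print("pin before:", pin_required(SAMPLE_AB), "after:", pin_required(edited))
```

Two practical caveats: the script refuses backups made with a backup password set (the encryption line reads AES-256 instead of none), and the rest of the restore path is unchanged, so an application that checks its own settings against a server or a signed blob will not be fooled by editing the file alone.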

… well, there’s nothing like leaving things to the last-minute. So here I am, sitting at the airport waiting for the first leg of the annual pilgrimage to Vegas (aka Hacker Summer camp), writing a last-minute blogpost to pimp a couple of presentations I’m doing next week.

Thu 18:00 -19:00 – Underground Track (Siena)

Mobile Fail: Cracking open “secure” android containers

We’ve known for some time that physical access to a device means game over. In response we’ve begun to rely more and more on “secure” container applications to keep our private and company secrets… well… secret! In this presentation I will discuss specific design flaws in the security of “secure” applications that promise to keep your data / passwords and even company email safe and sound.

Although this research isn’t earth shattering by any means (in my opinion anyway… way to sell it to ya eh ;), I think it provides a few valuable insights into the lack of forethought put into some Android application security. This research (although still at the early stages) focuses on the security of secure container applications and password databases, and how the security implemented to protect them on the device does little, if anything, to stop attackers with physical or root access to a device. Yes, physical access == game over… but in this case, secure containers have been specifically designed with this event in mind. Pity they didn’t put a little more thought into it!

Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys

On the surface most common browsers look the same, function the same, and deliver web content to the user in a relatively uniform fashion. Under the shiny surface however, the way specific user agents handle traffic varies in a number of interesting and unique ways. This variation allows defenders to play games with attackers and scripted attacks in a way that most normal users will never even see.

This talk will attempt to show that differences in how different user agents handle web server responses (specifically status codes) can be used to improve the defensive posture of modern web applications while causing headaches for the average script kiddy or scanner monkey!

Furthering the research presented earlier in the year (BSides London) I will be presenting some interesting edge case notes on how mainstream browsers interpret HTTP status / response codes. I love edge case stuff, just because it’s quirky… so expect a certain amount of off the wall weirdness. Browsers are odd at the best of times, but automated scanners and attack tools are even worse. They love it when they get what they expect… not so much when they get something weird.

This is my first time talking at DEF CON… so come along and let me know what you think. Feedback as always, is desired and well received.

So after a few false starts, sneak peeks and other misc things… we have both a logo and a final schedule for the BSidesVienna | Ninjacon 11 conference taking place on 18th June in Vienna.

I’d like to thank everybody who entered the logo competition, in particular Florian Stocker (great entries and so many at that!) and our eventual winner @PxlPhile. The decision wasn’t an easy one… as you can see by the logos that were put forward.

If you want to check out the schedule and wonder at the excellent presentations we have planned, you can find the schedule here.

For those who aren’t Star Wars fans, a quick search should have led you in the right direction… No droids. Well, as there’s no droids.txt on your average website, you’d be wise to check out the robots.txt page. This page however is more than a simple pointer to robots.txt, it also provides hints and information in the form of HTML comments and Server header responses…

Depending on the User-Agent string you connect with, the X-Hint value and the hidden HTML comment at the start of the page will change. There are a variety of possible values, and I’ll leave them up to you to find if you want… some are funny, some are helpful, some are cryptic! For example, accessing the site with Internet Explorer (or a user-agent string containing ‘IE’) you’ll get ‘X-Hint: Colder than cold’ and the HTML comment ‘Internet Explorer? Really!’. Yeah, I’m a funny man… it’s a curse.

The next hint you can get from this page is in the image itself… Metadata! By pulling down the image and viewing the metadata values with exiftool, you can see a few helpful hints. This is also where the answer can be found… if you know what value the answer really is! We’ll come back to this later on.

Taking a look at the robots.txt page will give you a few very obvious hints… If you don’t get these, well, there’s no hope.

Looking at the information in robots.txt should lead you to a few places. Obviously solution.php is one of the possible places to get the solution… yes, even though it says it’s not. Sorry, I lied ;) The User-Agent lines should also give you the information you need to find the required hints.

This is where there are two paths you can follow. By using the BSidesViennaChallenge User-Agent string on iknowtheanswer.php and solution.php you get the details on how to email the answer, and the 2 halves of the hash value to use (in solution.php the div id is the first half of the hash, and the second half appears when you make a request using the correct User-Agent string).

iknowtheanswer.php

solution.php

Putting these 2 parts together you get the entire hash, as well as the email address… 427e5301cc0f2c204c37f37f63976de3 [AT] bsidesvienna [dot] com. However, iknowtheanswer.php also provides you with the path for solution number two by pointing you at the Metadata.

Requests to the start page using the BSidesVienna and BSidesViennaChallenge User-Agent strings will also point you at which of the many Metadata tags you need to use…. ‘Current IPTC Digest’. As we mentioned earlier, running the saved jpg through exiftool we get a range of information… and a few hints if you needed them. The value for IPTC is the same hash we found using solution one… and therefore the correct email address to win a ticket.

You’ll also see a few hints in there, like the Make, Camera Model, Maker Notes, and especially the Keywords. These all point you to look at the robots.txt, and the ua-tester tool (for testing specific user-agent strings).

No matter which way you looked at the contest there was always a hint to drive things forward… if you were looking hard enough, that is! Looking at server headers, HTML comments and the differences in data returned from a site are all important aspects of web application penetration testing, and are widely known. That said, I understand not everybody got the answer… I just hope that people had fun in the process, and maybe even learnt something useful.
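The User-Agent dependent hints described above (the X-Hint header, the HTML comment at the top of the page, the div id on solution.php) are exactly the sort of thing a UA sweep surfaces. As an added example, not the challenge site’s code nor the ua-tester tool, here is a small Python script that requests a page with several User-Agent strings, pulls the interesting signals out of each response, and reports only the signals that differ between them. The raw responses embedded below are constructed so the demo runs offline; only the IE hint and comment text (‘Colder than cold’, ‘Internet Explorer? Really!’) come from the post, and the div id value is a placeholder, not a real hash half.

```python
"""Sweep a page with several User-Agent strings and diff the response signals.

Added example, not the challenge author's code. START_PAGE holds constructed
raw HTTP responses; only the IE X-Hint/comment text is quoted from the post.
"""
import re
import urllib.error
import urllib.request

USER_AGENTS = [
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "BSidesViennaChallenge",
]


def parse_raw_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into status code, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers, "body": body.decode("utf-8", "replace")}


def extract_signals(resp: dict) -> dict:
    """The places the challenge hid information: Server, X-Hint, comments, div ids."""
    body = resp["body"]
    return {
        "status": resp["status"],
        "server": resp["headers"].get("server"),
        "x-hint": resp["headers"].get("x-hint"),
        "comments": tuple(c.strip() for c in re.findall(r"<!--(.*?)-->", body, re.S)),
        "div_ids": tuple(re.findall(r'<div[^>]*\bid="([^"]+)"', body)),
    }


def diff_signals(per_ua: dict) -> dict:
    """Return {signal: {ua: value}} for every signal that is not identical across UAs.
    Signals that never change (here Server and the status code) are dropped."""
    signals = {ua: extract_signals(parse_raw_response(raw)) for ua, raw in per_ua.items()}
    keys = set().union(*(s.keys() for s in signals.values()))
    return {k: {ua: s[k] for ua, s in signals.items()}
            for k in sorted(keys)
            if len({s[k] for s in signals.values()}) > 1}


def fetch(url: str, ua: str, timeout: float = 10) -> bytes:
    """Live variant for a real target: fetch with the given UA and rebuild a raw
    response for parse_raw_response(). Non-2xx answers still carry headers and a
    body, which matter here, so HTTPError is used as the response object."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    try:
        r = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as e:
        r = e
    head = "HTTP/1.1 %d %s\r\n" % (r.code, r.reason)
    head += "".join("%s: %s\r\n" % kv for kv in r.headers.items())
    body = r.read()
    r.close()
    return head.encode("iso-8859-1") + b"\r\n" + body


# Constructed responses standing in for the challenge start page.
START_PAGE = {
    USER_AGENTS[0]: (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Hint: Nothing to see here\r\n"
                     b"Content-Type: text/html\r\n\r\n"
                     b"<!-- Move along -->\n<html><body><img src='droids.jpg'></body></html>"),
    USER_AGENTS[1]: (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Hint: Colder than cold\r\n"
                     b"Content-Type: text/html\r\n\r\n"
                     b"<!-- Internet Explorer? Really! -->\n<html><body><img src='droids.jpg'></body></html>"),
    USER_AGENTS[2]: (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Hint: Look at the metadata\r\n"
                     b"Content-Type: text/html\r\n\r\n"
                     b"<!-- Check the image -->\n<html><body>"
                     b"<div id=\"0000placeholder0000\"></div></body></html>"),  # placeholder, not a hash half
}

if __name__ == "__main__":
    for signal, by_ua in diff_signals(START_PAGE).items():
        print(signal)
        for ua, value in by_ua.items():
            print("   %-55s %r" % (ua, value))
```

Against a live site, replace START_PAGE with `{ua: fetch(url, ua) for ua in USER_AGENTS}`; the diff then shows at a glance which headers, comments or ids the server keys on the User-Agent, which is what you want before guessing at strings like BSidesViennaChallenge.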

Congratulations to the winners who got the correct answer, and for those wanting to play around with the challenge, I’ll be leaving the site up to play with for a while yet.


Disclaimer

The contents of this personal blog are solely my own opinions and comments, as such they do not reflect the opinions of my employer(s) past, present or future. No legal liability is accepted for anything you do, think, or consider fact as the basis of articles and links posted on this blog.

"Three to one...two...one...probability factor of one to one...we have normality, I repeat we have normality. Anything you still can’t cope with is therefore your own problem."

Note: A large portion of content I post on my blog comes from "live blogging" of security conferences. These posts are in notes form and are written live during a talk. As such errors and omissions are expected. I'm only human after all!